about ASA55xx syslog

Unanswered Question
Jun 10th, 2007

Dear Sirs,

First, I'm not bilingual, so please excuse my English.

Sending System Log Messages to a Syslog Server

If you specify TCP, the security appliance discovers when the syslog server fails and discontinues sending logs.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/sysadmin/monitor.htm#wp1064726

Is a function for sending the syslog messages again provided?

Best regards,

anandramapathy Sun, 06/10/2007 - 22:22

You will have to rekey the command.

(See the URL below.)

After the Syslog service is restored, you have to reconfigure the TCP Syslog connection manually by entering the logging host if_name ip_address tcp/port configuration command.

I guess the best option is to configure 2 syslog servers.

##################

http://www.ciscopress.com/articles/article.asp?p=424447&seqNum=2&rl=1

##################

In fact, the TCP Syslog method is designed to be so reliable that the connection closes if the Syslog server becomes unavailable or if its logging storage becomes full. At this point, the firewall immediately stops forwarding traffic and generates a "201008: The PIX is disallowing new connections" message. You can also see this with the show logging command, as in the following example. Notice that TCP Syslog is still configured to use the Syslog server but is shown as disabled:

Firewall# show logging

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: level informational, 716 messages logged

Trap logging: level informational, 162 messages logged

Logging to inside 172.21.4.1 tcp/1470 disabled

History logging: disabled

Device ID: hostname "Firewall"

If this condition occurs, check the Syslog server and determine the source of the problem. After the Syslog service is restored, you have to reconfigure the TCP Syslog connection manually by entering the logging host if_name ip_address tcp/port configuration command.
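As an added example (not part of the original thread and not Cisco tooling): a Python check that parses captured show logging output, flags TCP syslog hosts shown as disabled, and prints the logging host command that has to be re-entered. The second host line in the sample is constructed, and the script assumes a healthy host line has the same format without the trailing "disabled".

```python
import re

# Host line format as shown in the show logging output quoted in this thread:
#   Logging to <if_name> <ip_address> [<proto>/<port>] [disabled]
HOST_LINE = re.compile(
    r"^\s*Logging to (?P<if_name>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: (?P<proto>tcp|udp)/(?P<port>\d+))?(?P<disabled> disabled)?\s*$",
    re.IGNORECASE,
)

# First host line is from the thread; the second is constructed (assumed format).
SAMPLE = """\
Syslog logging: enabled
Trap logging: level informational, 162 messages logged
Logging to inside 172.21.4.1 tcp/1470 disabled
Logging to inside 172.21.4.2 tcp/1470
History logging: disabled
"""

def parse_syslog_hosts(show_logging_text):
    """Return one dict per 'Logging to ...' host line; other lines are ignored."""
    hosts = []
    for line in show_logging_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        proto = m.group("proto")
        hosts.append({
            "if_name": m.group("if_name"),
            "ip": m.group("ip"),
            "proto": proto.lower() if proto else None,
            "port": int(m.group("port")) if m.group("port") else None,
            "disabled": m.group("disabled") is not None,
        })
    return hosts

def disabled_tcp_hosts(show_logging_text):
    """TCP syslog hosts the firewall has stopped logging to."""
    return [h for h in parse_syslog_hosts(show_logging_text)
            if h["proto"] == "tcp" and h["disabled"]]

def reconfigure_commands(show_logging_text):
    """Commands to re-enter manually once the syslog service is restored."""
    return ["logging host {if_name} {ip} tcp/{port}".format(**h)
            for h in disabled_tcp_hosts(show_logging_text)]

if __name__ == "__main__":
    for cmd in reconfigure_commands(SAMPLE):
        print("TCP syslog host disabled; re-enter:", cmd)
```
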

hsasaki_cert Mon, 06/11/2007 - 02:08

Thank you very much for your help.

When the trouble occurs, is the switchover made smoothly, without loss of packets?

Sincerely,

anandramapathy Mon, 06/11/2007 - 02:15

If the ASA is not able to log to the primary and you are using TCP for Syslog, then the ASA will automatically try to log to the 2nd syslog server. There will not be packet loss since we are using TCP.

In the case of UDP, the logging will continue to happen despite the Syslog server going down (it will be sending messages, but to no use since the Syslog is down).
